Ganeti 2.2 introduced inter-cluster instance moves
and replaced the import/export mechanism with the same technology. It’s
since shown that the chosen implementation was too complicated and and
can be difficult to debug.

The old implementation is henceforth called “version 1”. It used
socat in combination with a rather complex tree of bash and
Python utilities to move instances between clusters and import/export
them inside the cluster. Due to protocol limitations, the master daemon
starts a daemon on the involved nodes and then keeps polling a status
file for updates. A non-trivial number of timeouts ensures that jobs
don’t freeze.

In version 1, the destination node would start a daemon listening on a
random TCP port. Upon receiving the destination information, the source
node would temporarily stop the instance, create snapshots, and start
exporting the data by connecting to the destination. The random TCP port
is chosen by the operating system by binding the socket to port 0.
While this is a somewhat elegant solution, it causes problems in setups
with restricted connectivity (e.g. iptables).

Another issue encountered was with dual-stack IPv6 setups. socat can
only listen on one protocol, IPv4 or IPv6, at a time. The connecting
node can not simply resolve the DNS name, but it must be told the exact
IP address.

Instance OS definitions can provide custom import/export scripts. They
were working well in the early days when a filesystem was usually
created directly on the block device. Around Ganeti 2.0 there was a
transition to using partitions on the block devices. Import/export
scripts could no longer use simple dump and restore commands,
but usually ended up doing raw data dumps.

The following design is mostly targetted at inter-cluster instance
moves. Intra-cluster import and export use the same technology, but do
so in a less complicated way (e.g. reusing the node daemon certificate
in version 1).

Support for instance OS import/export scripts, which have been in Ganeti
since the beginning, will be dropped with this design. Should the need
arise, they can be re-added later.

Instead of a home-grown, mostly raw protocol the widely used HTTP
protocol will be used. Ganeti already uses HTTP for its Remote API and inter-node communication. Encryption and authentication will
be implemented using SSL and X509 certificates.

The source machine will identify connecting clients by their SSL
certificate. Unknown certificates will be refused.

Version 1 created a new self-signed certificate per instance
import/export, allowing the certificate to be used as a Certificate
Authority (CA). This worked by means of starting a new socat
instance per instance import/export.

Under the version 2 model, a continously running HTTP server will be
used. This disallows the use of self-signed certificates for
authentication as the CA needs to be the same for all issued
certificates.

Local imports/exports will, like version 1, use the node daemon’s
certificate/key. Doing so allows the verification of local connections.
The client’s certificate can be exported to the CGI/FastCGI handler
using lighttpd’s ssl.verifyclient.exportcert setting. If a
cluster-local import/export is being done, the handler verifies if the
used certificate matches with the local node daemon key.

The source can be the same physical machine as the destination, another
node in the same cluster, or a node in another cluster. A
physical-to-virtual migration mechanism could be implemented as an
alternative source.

In the case of a traditional import, the source is usually a file on the
source machine. For exports and remote imports, the source is an
instance’s raw disk data. In all cases the transported data is opaque to
Ganeti.

All nodes of a cluster will run an instance of Lighttpd. The
configuration is automatically generated when starting Ganeti. The HTTP
server is configured to listen on IPv4 and IPv6 simultaneously.
Imports/exports will use a dedicated TCP port, similar to the Remote
API.

The source cluster is provided with a X509 Certificate Signing Request
(CSR) for a key private to the destination cluster.

After shutting down the instance, creating snapshots and restarting the
instance the master will sign the destination’s X509 certificate using
the X509 CA once per instance disk. Instead of
using another identifier, the certificate’s serial number (never
reused) and fingerprint are used to identify incoming
requests. Once ready, the master will call an RPC method on the source
node and provide it with the input information (e.g. file paths or block
devices) and the certificate identities.

The RPC method will write the identities to a place accessible by the
HTTP request handler, generate unique transfer IDs and return them to
the master. The transfer ID could be a filename containing the
certificate’s serial number, fingerprint and some disk information. The
file containing the per-transfer information is signed using the node
daemon key and the signature written to a separate file.

Once everything is in place, the master sends the certificates, the data
and notification URLs (which include the transfer IDs) and the public
part of the source’s CA to the job submitter. Like in version 1,
everything will be signed using the cluster domain secret.

Upon receiving a request, the handler verifies the identity and
continues to stream the instance data. The serial number and fingerprint
contained in the transfer ID should be matched with the certificate
used. If a cluster-local import/export was requested, the remote’s
certificate is verified with the local node daemon key. The signature of
the information file from which the handler takes the path of the block
device (and more) is verified using the local node daemon certificate.
There are two options for handling requests, CGI and FastCGI.

To wait for all requests to finish, the master calls another RPC method.
The destination should notify the source once it’s done with downloading
the data. Since this notification may never arrive (e.g. network
issues), an additional timeout needs to be used.

There is no good way to avoid polling as the HTTP requests will be
handled asynchronously in another process. Once, and if, implemented
RPC feedback could be used to combine the two RPC
methods.

Upon completion of the transfer requests, the instance is removed if
requested.

Unlike plain CGI, FastCGI scripts are run separately from the webserver.
The webserver talks to them via a Unix socket. Webserver and scripts can
run as separate users. Unlike for CGI, there are almost no bootstrap
costs attached to each request.

The FastCGI protocol requires data to be sent in length-prefixed
packets, something which wouldn’t be very efficient to do in Python for
large amounts of data (instance imports/exports can be hundreds of
gigabytes). For this reason the proposal is to use a wrapper program
written in C (e.g. fcgiwrap) and to write the handler
like an old-style CGI program with standard input/output. If data should
be copied from a file, cat, dd or socat can be used (see
note about sendfile(2)/splice(2) with Python).

The bootstrap cost associated with starting a Python interpreter for
a disk export is expected to be negligible.

The spawn-fcgi
program will be used to start the CGI wrapper as “root”.

FastCGI is, in the author’s opinion, the better choice as it allows user
separation. As a first implementation step the export handler can be run
as a standard CGI program. User separation can be implemented as a
second step.

The destination can be the same physical machine as the source, another
node in the same cluster, or a node in another cluster. While not
considered in this design document, instances could be exported from the
cluster by implementing an external client for exports.

For traditional exports the destination is usually a file on the
destination machine. For imports and remote exports, the destination is
an instance’s disks. All transported data is opaque to Ganeti.

Before an import can be started, an RSA key and corresponding
Certificate Signing Request (CSR) must be generated using the new opcode
OpInstanceImportPrepare. The returned information is signed using
the cluster domain secret. The RSA key backing the CSR must not leave
the destination cluster. After being passed through a third party, the
source cluster will generate signed certificates from the CSR.

Once the request for creating the instance arrives at the master daemon,
it’ll create the instance and call an RPC method on the instance’s
primary node to download all data. The RPC method does not return until
the transfer is complete or failed (see EXP_SIZE_FD
and RPC feedback).

The node will use pycURL to connect to the source machine and identify
itself with the signed certificate received. pycURL will be configured
to write directly to a file descriptor pointing to either a regular file
or block device. The file descriptor needs to point to the correct
offset for resuming downloads.

Using cURL’s multi interface, more than one transfer can be made at the
same time. While parallel transfers are used by the version 1
import/export, it can be decided at a later time whether to use them in
version 2 too. More investigation is necessary to determine whether
CURLOPT_MAXCONNECTS is enough to limit the number of connections or
whether more logic is necessary.

If a transfer fails before it’s finished (e.g. timeout or network
issues) it should be retried using an exponential backoff delay. The
opcode submitter can specify for how long the transfer should be
retried.

At the end of a transfer, succssful or not, the source cluster must be
notified. A the same time the RSA key needs to be destroyed.

Support for HTTP proxies can be implemented by setting
CURLOPT_PROXY. Proxies could be used for moving instances in/out of
restricted network environments or across protocol borders (e.g. IPv4
networks unable to talk to IPv6 networks).

Note that the parameters should be implemented in a generic way
allowing future extensions, e.g. to download disk images from a
public, remote server. The cluster domain secret allows Ganeti to
check data received from a third party, but since this won’t work
with such extensions, other checks will have to be designed.

Create block devices

Download every disk from source, verified using remote’s CA and
authenticated using signed certificates

The HTTP resources listed below will be made available by the source
machine. The transfer ID is generated while preparing the export and is
unique per disk and instance. No caching should be used and the
Pragma (HTTP/1.0) and Cache-Control (HTTP/1.1) headers set
accordingly by the server.

Specify preferred media types. Only one type is supported in the
initial implementation:

application/octet-stream

Request raw disk content.

If support for more media types were to be implemented in the
future, the “q” parameter used for “indicating a relative quality
factor” needs to be used. In the meantime parameters need to be
expected, but can be ignored.

If support for OS scripts were to be re-added in the future, the
MIME type application/x-ganeti-instance-export is hereby
reserved for disk dumps using an export script.

If the source can not satisfy the request the response status code
will be 406 (Not Acceptable). Successful requests will specify the
used media type using the Content-Type header. Unless only
exactly one media type is requested, the client must handle the
different response types.

Specify desired content coding. Supported are identity for
uncompressed data, gzip for compressed data and * for any.
The response will include a Content-Encoding header with the
actual coding used. If the client specifies an unknown coding, the
response status code will be 406 (Not Acceptable).

If the client specifically needs compressed data (see
Compression) but only gets identity, it can
either compress locally or abort the request.

Raw disk dumps can be resumed using this header (e.g. after a
network issue).

If this header was given in the request and the source supports
resuming, the status code of the response will be 206 (Partial
Content) and it’ll include the Content-Range header as per
RFC 2616. If it does not support resuming or the request was not
specifying a range, the status code will be 200 (OK).

Only a single byte range is supported. cURL does not support
multipart/byteranges responses by itself. Even if they could be
somehow implemented, doing so would be of doubtful benefit for
import/export.

For raw data dumps handling ranges is pretty straightforward by just
dumping the requested range.

cURL will fail with the error code CURLE_RANGE_ERROR if a
request included a range but the server can’t handle it. The request
must be retried without a range.

POST/transfers/[transfer_id]/done

Use this resource to notify the source when transfer is finished (even
if not successful). The status code will be 204 (No Content).

The old inter-cluster import/export implementation described in the
Ganeti 2.2 design document will be supported for at
least one minor (2.x) release. Intra-cluster imports/exports will use
the new version right away.

Together with the improved import/export infrastructure Ganeti 2.2
allowed instance export scripts to report the expected data size. This
was then used to provide the user with an estimated remaining time.
Version 2 no longer supports OS import/export scripts and therefore
EXP_SIZE_FD is no longer needed.

Version 1 used explicit compression using gzip for transporting
data, but the dumped files didn’t use any compression. Version 2 will
allow the destination to specify which encoding should be used. This way
the transported data is already compressed and can be directly used by
the client (see HTTP resources on source). The cURL option
CURLOPT_ENCODING can be used to set the Accept-Encoding header.
cURL will not decompress received data when
CURLOPT_HTTP_CONTENT_DECODING is set to zero (if another HTTP client
library were used which doesn’t support disabling transparent
compression, a custom content-coding type could be defined, e.g.
x-ganeti-gzip).

The HTTP/1.1 protocol (RFC 2616) defines trailing headers for chunked
transfers in section 3.6.1. This could be used to transfer a checksum at
the end of an import/export. cURL supports trailing headers since
version 7.14.1. Lighttpd doesn’t seem to support them for FastCGI, but
they appear to be usable in combination with an NPH CGI (No Parsed
Headers).

Lighttpd allows FastCGI applications to send the special headers
X-Sendfile and X-Sendfile2 (the latter with a range). Using
these headers applications can send response headers and tell the
webserver to serve regular file stored on the file system as a response
body. The webserver will then take care of sending that file.
Unfortunately this mechanism is restricted to regular files and can not
be used for data from programs, neither direct nor via named pipes,
without writing to a file first. The latter is not an option as instance
data can be very large. Theoretically X-Sendfile could be used for
sending the input for a file-based instance import, but that’d require
the webserver to run as “root”.

Python does not include interfaces for the sendfile(2) or
splice(2) system calls. The latter can be useful for faster copying
of data between file descriptors. There are some 3rd-party modules (e.g.
http://pypi.python.org/pypi/py-sendfile/) and discussions
(http://bugs.python.org/issue10882) for including support for
sendfile(2), but the later is certainly not going to happen for the
Python versions supported by Ganeti. Calling the function using the
ctypes module might be possible.

The design described above was confirmed to be one of the better choices
in terms of download performance with bigger block sizes. All numbers
were gathered on the same physical machine with a single CPU and 1 GB of
RAM while downloading 2 GB of zeros read from /dev/zero. wget
(version 1.10.2) was used as the client, lighttpd (version 1.4.28)
as the server. The numbers in the first line are in megabytes per
second. The second line in each row is the CPU time spent in userland
respective system (measured for the CGI/FastCGI program using time-v).

It should be mentioned that the flup library is not implemented in
the most efficient way, but even with some changes it doesn’t get much
faster. It is fine for small amounts of data, but not for huge
transfers.

Another possible solution considered was to use socat like version 1
did. Due to the changing model, a large part of the code would’ve
required a rewrite anyway, while still not fixing all shortcomings. For
example, socat could still listen on only one protocol, IPv4 or
IPv6. Running two separate instances might have fixed that, but it’d get
more complicated. Using an existing HTTP server will provide us with a
number of other benefits as well, such as easier user separation between
server and backend.